One answer as to why control systems are still so vulnerable

The following question was asked May 12, 2018 on the SANS ICS Community site: “I am gonna assess hydro power plant running several turbine generators controlled by SCADA Scala 250 from Andritz. This a very specific ICS environment.  I am curious if someone here has any experience with this kind of assessment with hydro power plants and power turbines. I need to know what's the most critical functional blocks here and where to focus.”

There are several issues screaming about this post. Doesn’t the operator understand the need? In reality, why was the operational group that understands SCADA not involved? Why was the IT security organization that doesn’t understand SCADA putting out the RFP and making the vendor selection? How can the operator accept an assessment by someone having to reach out to even understand what to assess? Unfortunately, this is the norm not the exception.

For those that don’t believe this is a disaster waiting to happen, read

Joe Weiss